https://community.checkpoint.com/t5/Spark-Firewall-SMB/Connecting-Remote-Gateway-SMB-to-SMS-and-up-VPN-tunnel-site-to/m-p/239968#M12015 <P><STRONG>Greetings!</STRONG></P><P>I’d like to ask for assistance and advice regarding the setup of a site-to-site VPN tunnel. On one side, the provider offers a static IP address, while on the other side, the provider assigns a dynamic IP to the router. The router then provides a private (local) IP address to the SMB (Spark) gateway. Has anyone had similar experience?</P><P>How is it possible to manage the remote gateway (the one with the router using a dynamic IP)? Connecting to the SMB and setting up policies is more successful from the SMB gateway side than from the management side. However, attempts to manage it from the server side are unsuccessful. Policies don’t apply, and the tunnel isn’t established.</P><P>The two gateways that should be connected by the tunnel are in different countries. I’d greatly appreciate any help. Is it perhaps necessary to forward ports on the provider’s router?</P> Wed, 29 Jan 2025 13:30:59 GMT Ok1 2025-01-29T13:30:59Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Connecting-Remote-Gateway-SMB-to-SMS-and-up-VPN-tunnel-site-to/m-p/239968#M12015 <P><STRONG>Greetings!</STRONG></P><P>I’d like to ask for assistance and advice regarding the setup of a site-to-site VPN tunnel. On one side, the provider offers a static IP address, while on the other side, the provider assigns a dynamic IP to the router. The router then provides a private (local) IP address to the SMB (Spark) gateway. Has anyone had similar experience?</P><P>How is it possible to manage the remote gateway (the one with the router using a dynamic IP)? Connecting to the SMB and setting up policies is more successful from the SMB gateway side than from the management side. However, attempts to manage it from the server side are unsuccessful. Policies don’t apply, and the tunnel isn’t established.</P><P>The two gateways that should be connected by the tunnel are in different countries. I’d greatly appreciate any help. Is it perhaps necessary to forward ports on the provider’s router?</P> Wed, 29 Jan 2025 13:30:59 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Connecting-Remote-Gateway-SMB-to-SMS-and-up-VPN-tunnel-site-to/m-p/239968#M12015 Ok1 2025-01-29T13:30:59Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Connecting-Remote-Gateway-SMB-to-SMS-and-up-VPN-tunnel-site-to/m-p/239972#M12016 <P>In this setting, only the SMB behind the router with dynamic IP is able to initiate the VPN tunnel. So it would make more sense to configure it as locally managed and use a permanent tunnel. But you can open a SR# with CP TAC to get more information about possible configurations fitting your purpose !</P> <P>&nbsp;</P> Wed, 29 Jan 2025 14:10:44 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Connecting-Remote-Gateway-SMB-to-SMS-and-up-VPN-tunnel-site-to/m-p/239972#M12016 G_W_Albrecht 2025-01-29T14:10:44Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Connecting-Remote-Gateway-SMB-to-SMS-and-up-VPN-tunnel-site-to/m-p/239980#M12017 <P>My 2 cents, static IP is in most cases the best option. Even if you do a local mgmt what if the ISP changes the IP? How are you going to manage it from home? Then you need to find a way like manage via tunnel.&nbsp;</P> <P>My experience to connect to central mgmt dynamic IP can work but could be a bit more complex. Static ip will make it more easy for you.&nbsp;</P> Wed, 29 Jan 2025 15:32:31 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Connecting-Remote-Gateway-SMB-to-SMS-and-up-VPN-tunnel-site-to/m-p/239980#M12017 Lesley 2025-01-29T15:32:31Z